As I'm posting this, it's 00:18 on the 1st of April in Auckland, New Zealand.

But there aren't that many Conficker infections in New Zealand to begin with.

Infection situation in South Korea is more interesting; it's in the TOP 5 infected countries. And it's already 20:18 on the 31st in Seoul right now.

So, when exactly is Conficker activating?

It goes like this:

Conficker checks the local clock every 90 minutes (in some cases even more frequently)

The check is done with Windows GetLocalTime function

GetLocalTime gives the local time, based on the local time zone

Because of this, machines around the world are returning different times

Clock skew affects this as well

But not by much, as Windows machines will sync their local clock with time.windows.com once a week

Once the local clock says it's April 1st, Conficker will collect a date from the net

This means that machines in Australia will already be collecting a date from the net when machines in Hawaii aren't.

Conficker's net time collection uses several large websites to get the date. These are sites such as:

adobe.com

answers.com

baidu.com

bbc.co.uk

comcast.net

disney.go.com

ebay.co.uk

facebook.com

imdb.com

megaporn.com

miniclip.com

rapidshare.com

torrentz.com

typepad.com

wikimedia.org

yahoo.com

youtube.com

The HTTP header time on these sites is very accurate and very close to each other.

You can check these yourself: simply connect to port 80 of any website with netcat or telnet. In Windows, simply run "telnet google.com 80". Once connected, type (blindly) "GET /" and hit enter a couple of times. You'll get a screenful of results, including a "Date:" field.

Here's some sample HTTP HEAD returns from websites that Conficker uses to check the date. These were checked earlier this morning:

When the local clock says it's April 1st, Conficker will fetch the date values from the above sites and will use these values in an algorithm to generate 50,000 unique domain names. Do note that even if the date from the web sites says it's March 31st, Conficker would still activate if the local clock says it's April 1st.

The machines that are infected by Conficker.C and are turned on, will change modes between 00:00 and 01:30 on April 1st, based on machines own clock. The ones that are turned off, will change modes soon after they are booted up.